
CDIS PL Class #1

Learning about the ecosystem

CDIS UNICV © Tiago Cruz (tjcruz@dei.uc.pt)


Back to the playground
Guess what we got?
The testbed process (again)

[Figure: the testbed process, showing the HMI, the process and the Variable Frequency Drive (VFD)]

Testbed topology

[Figure: testbed topology, with the elements HMI, PLC 1, PLC 2, the process, VFD (Variable Frequency Drive), temperature sensor, motor and process HMI]
What do we want to achieve?
Some examples

• Demonstrate IACS operation
• Perform recognition/exploration tasks
• Analyse SCADA protocols and understand their weaknesses
• Plan and execute attacks
• Deploy protection countermeasures


How a PLC works

[Figure: how a PLC works. Process & sensors → physical input channels → input modules → input image area → user program area → output image area → output modules → physical output channels → process & actuators.]
The Modbus protocol

§ Serial communication protocol invented in 1979 by Modicon (now Schneider Electric).
§ Originally designed for serial cables, has been meanwhile ported to TCP/IP.
§ Developed for industrial application.
§ Royalty-free.
§ Probably the most widely used standard for industrial communications.
The Modbus protocol

§ Master / Slave protocol
§ Usually the “SCADA server” (or the HMI) takes the role of master, and PLCs take the role of slaves.
§ The master must regularly poll the slaves to get information.
§ Modbus addresses are 8 bits long, so only 247 slaves per master.
§ There is no object description: a request returns a value, without any context or unit.

The Modbus protocol

What about security?

§ Cleartext communications
§ No authentication
§ While there is a recent update of the protocol to support encrypted communications, it is seldom used.
Modbus message format

Frame layout: IP Header | TCP Header | MBAP Header | Function Code | Data
MBAP Header: TransactionID | ProtocolID | Length | UnitID

Name                    Length (bytes)   Function
Transaction identifier  2                For synchronization between master and slave
Protocol identifier     2                Zero for Modbus/TCP
Length field            2                Number of remaining bytes in the frame
Unit ID                 1                Slave address
Function Code           1                Operation
Data bytes              n                Returned data
Modbus Communications

Master (HMI) → Slave (PLC) request, as captured on the wire:
19 bd 00 00 00 06 01 03 00 81 10
(19 bd = TransID, 03 = Func Code, 00 81 10 = Data)

Slave (PLC) → Master (HMI) reply:
19 bd 00 00 00 23 01 03 20 03 52
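A decoder for the frame layout above, added here as an example (it is not code from the slides). The sample frames are constructed to mirror the slide's exchange (Read Holding Registers request for 16 registers at 0x0081 and its 35-byte reply); the register values and the exception reply are invented.

```python
"""Decode a Modbus/TCP frame into its MBAP header, function code and data, as
laid out in the message format table above. Added example, not from the
slides. The sample frames are constructed to mirror the slide's exchange:
a Read Holding Registers (FC 3) request for 16 registers from address 0x0081
and the 35-byte reply; the register values are invented."""
import struct

FUNCTION_NAMES = {1: "Read coils", 3: "Read holding registers",
                  5: "Write single coil", 6: "Write single register",
                  16: "Write multiple registers", 23: "R/W multiple registers"}

def decode_modbus_tcp(frame: bytes) -> dict:
    """Return the MBAP fields plus a decoded PDU for FC 3 and exception replies."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id}: not Modbus/TCP")
    # Length counts unit ID + FC + data. A mismatch is a malformed frame, the
    # kind of input an old PLC stack may not handle gracefully.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length}, but {len(frame) - 6} bytes follow")
    fc, data = frame[7], frame[8:]
    out = {"transaction_id": trans_id, "unit_id": unit_id,
           "function_code": fc & 0x7F, "exception": bool(fc & 0x80),
           "function_name": FUNCTION_NAMES.get(fc & 0x7F, "unknown/undocumented")}
    if out["exception"]:                     # FC | 0x80 followed by exception code
        out["exception_code"] = data[0] if data else None
    elif fc == 3 and len(data) == 4:         # request: start address, quantity
        out["start_address"], out["quantity"] = struct.unpack(">HH", data)
    elif fc == 3 and data and len(data) == 1 + data[0]:   # reply: byte count, words
        words = data[0] // 2
        out["registers"] = list(struct.unpack(f">{words}H", data[1:1 + 2 * words]))
    return out

# Constructed request: TransID 0x19bd, unit 1, FC 3, address 0x0081, quantity 16
REQUEST = bytes.fromhex("19bd 0000 0006 01 03 0081 0010")
# Constructed reply: length 0x23 = unit + FC + byte count (0x20) + 32 data bytes
REPLY = bytes.fromhex("19bd 0000 0023 01 03 20 0352" + "0000" * 15)
# Constructed exception reply: FC 0x83 with exception code 2 (illegal data address)
EXCEPTION = bytes.fromhex("19be 0000 0003 01 83 02")

if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY), ("exception", EXCEPTION)):
        print(name, decode_modbus_tcp(frame))
```

Fed the 11-byte request exactly as printed in the slide, the decoder rejects it: the length field announces 6 remaining bytes but only 5 follow, so the printed data field is one byte short.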
Function codes
§ Standard Modbus operations allow reading and writing data from/to a device
§ There are also functions for other purposes (diagnostics…)
§ Undocumented Modbus function codes do exist

Function name              FC
Read coils                 1
Write single coil          5
Read holding registers     3
Write single register      6
Write multiple registers   16
R/W multiple registers     23
Function codes

[Figure: table of Modbus function codes]
Source: https://www.picotech.com/library/oscilloscopes/modbus-serial-protocol-decoding. © Pico Technology.


Data types
§ Modbus-accessible data is normally stored in one of four data banks or address ranges: coils, discrete inputs, holding registers, and input registers.
§ The names may vary: holding registers may be referred to as output registers, and coils may be referred to as digital or discrete outputs.
§ The data banks define the type and access rights of the contained data.
§ The Modbus-accessible data is generally a subset of the device’s main memory.

Memory block       Data type       Master access   Slave access
Coils              Boolean         R/W             R/W
Discrete inputs    Boolean         R               R/W
Holding registers  Unsigned word   R/W             R/W
Input registers    Unsigned word   R               R/W
Data addressing
Modicon convention

§ The notation originally used by Modicon is still often used today, even though considered obsolete by present Modbus-IDA standards.
§ The advantage in using the Modicon notation is that two pieces of information are included in a single number: (a) the register type; (b) the register number.
§ A register number offset defines the type.
§ Registers are addressed starting at zero. Therefore, input registers numbered 1-16 are addressed as 0-15.

0x = Coil = 00001-09999
1x = Discrete Input = 10001-19999
3x = Input Register = 30001-39999
4x = Holding Register = 40001-49999
Data addressing
IEC/Quantum convention

§ Quantum 800 series I/O modules follow a system of flat address mapping.
§ To work properly, each module requires a determinate number of bits and/or words.
§ The IEC addressing system is equivalent to the 984LL register addressing. Use the following assignments:

0x is now %Mx (ex: 000001 is now %M1)
1x is now %Ix (ex: 100101 is now %I101)
3x is now %IWx (ex: 301024 is now %IW1024)
4x is now %MWx (ex: 400010 is now %MW10)
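A converter between the Modicon numbers, the IEC/Quantum names and the zero-based address plus function code seen on the wire, added here as an example (not code from the slides). It assumes the standard function codes 2, 4 and 15, which the function code table above omits, and the IEC prefixes listed on this slide.

```python
"""Translate between the three Modbus addressing views used above: Modicon
register numbers (e.g. 40010 / 400010), the IEC/Quantum names (%M, %I, %IW,
%MW) and the zero-based address plus function code seen on the wire.
Added example, not from the slides. FC 2 (read discrete inputs), FC 4 (read
input registers) and FC 15 (write multiple coils) are standard codes that the
slide's table omits."""

# Modicon leading digit -> (data bank, IEC prefix, read function code)
BANKS = {"0": ("Coil", "%M", 1), "1": ("Discrete input", "%I", 2),
         "3": ("Input register", "%IW", 4), "4": ("Holding register", "%MW", 3)}
# Function code -> Modicon leading digit of the bank it operates on
FC_TO_BANK = {1: "0", 5: "0", 15: "0", 2: "1", 4: "3",
              3: "4", 6: "4", 16: "4", 23: "4"}

def modicon_to_address(number: str) -> dict:
    """'400010' -> holding register, IEC %MW10, wire address 9, read with FC 3."""
    number = number.strip()
    if len(number) not in (5, 6) or not number.isdigit() or number[0] not in BANKS:
        raise ValueError(f"{number!r} is not a Modicon register number")
    register = int(number[1:])              # 1-based register number
    if register == 0:
        raise ValueError("Modicon numbering starts at 1")
    bank, iec_prefix, read_fc = BANKS[number[0]]
    return {"bank": bank, "iec": f"{iec_prefix}{register}",
            "address": register - 1, "read_fc": read_fc}

def wire_to_modicon(fc: int, address: int, digits: int = 5) -> str:
    """Reverse mapping for a captured request: FC 3 at address 0x0081 -> '40130'."""
    if fc not in FC_TO_BANK:
        raise ValueError(f"function code {fc} does not address a data bank")
    register = address + 1
    if register >= 10 ** (digits - 1):
        raise ValueError(f"address {address} does not fit {digits}-digit notation")
    return f"{FC_TO_BANK[fc]}{register:0{digits - 1}d}"

if __name__ == "__main__":
    for n in ("000001", "100101", "301024", "400010"):
        print(n, modicon_to_address(n))
    print(wire_to_modicon(3, 0x0081), wire_to_modicon(5, 0, digits=6))
```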
A small attack taxonomy

TCP connection

[Figure: TCP connection (source: J. Chuang, “Transport Layer: TCP and UDP”, IS250, U. Berkeley)]


A small attack taxonomy
Network reconnaissance - FIN scan
(More stealthy, but prone to unreliability)

[Figure: the attacker on the control system network sends FIN probes (1) through the switch to the HMI and the PLC; the replies (2) reveal each port's state.]

RFC 793: "Traffic to a closed port should always return RST” – but SYN/FIN may work…
New rules?

“There is a golden rule when scanning industrial networks: never, ever, scan a live industrial network. Industrial networks are often full of old devices with little or no exception handling to deal with received malformed packets (the type network scanners use). Therefore, consequences can be completely fortuitous and even dangerous, including physically threatening situations. You have been warned: avoid scanning industrial networks while active.”

Mikel Iturbe, in Scanning industrial networks
(http://iturbe.info/2014/10/scanning-industrial-networks/)
Some valuable pieces of advice
§ Port scanning can cause trouble for a pentester and disclose an attacker.
§ OS fingerprinting is usually dangerous
  § Don't use the -O or -A flags in nmap
  § Most problematic on embedded devices not running Windows or Linux
§ Scanning too fast is another problem
  § Use nmap's -T2 (sets timing at 0.4 seconds per host)
  § Or use nmap's --scan-delay to scan 1 port at a time per host
§ Don't use the -sU option in nmap (null requests may be fatal for weak network stack implementations)
§ When in doubt, perform packet capture and analysis instead
Some advice
From the NIST SP800-82 document.

NIST SP800-82, “Guide to Industrial Control Systems (ICS) Security”
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
A small attack taxonomy
Modbus device scan/enumeration

[Figure: stage 2, Modbus device enumeration. The attacker sends (malformed) Modbus requests with UnitID=[1-247] to the PLC through the switch (1) and receives a Modbus (error) reply if the UnitID is correct (2); loop until positive replies are obtained, or continuously, because of potential gateways.]

Disclaimer: you may not even need any of this, but it can be useful to understand the device you are talking to.
A small attack taxonomy
Flooding -> Loss of visibility

[Figure: flooding attack leading to loss of visibility]
A small attack taxonomy
MiTM, part I: ARP poisoning

[Figure: the attacker on the control system network sends spoofed ARP replies (1) through the switch (2) to the HMI and the PLC. Afterwards the (spoofed) ARP cache table of the HMI holds ip_plc → mac_attacker, and that of the PLC holds ip_hmi → mac_attacker.]
A small attack taxonomy
MiTM, part II: TCP hijacking

[Figure: stage 2, TCP hijacking. With both (spoofed) ARP cache tables still in place (HMI: ip_plc → mac_attacker; PLC: ip_hmi → mac_attacker), the R/W Coils request from the HMI and the R/W Coils reply from the PLC both pass through the attacker (steps 1 to 8 in the figure).]
Mix ‘n match

§ DoS with ARP Poisoning
§ DoS with Write All Coils FC
§ DoS with Write All Register FC
§ DoS with Write Single Coil FC
§ DoS with Write Single Register FC

There is much, much more…
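Detection logic for the Modbus device enumeration, flooding and write-FC DoS patterns from the taxonomy above, added here as an example (not code from the slides). It assumes a packet feed of (timestamp, src, dst, TCP payload) records in time order, a known HMI address of 10.10.0.10, and constructed traffic; in practice the records would come from a capture on the mirror interface.

```python
"""Detect the Modbus/TCP patterns from the attack taxonomy above in a packet
feed: unit-ID sweeps (device enumeration), bursts of write function codes
(the coil/register DoS variants) and writes from a host that is not the
known master. Added example, not from the slides; all traffic below is
constructed. Each record is (timestamp, src_ip, dst_ip, tcp_payload)."""
import struct
from collections import defaultdict

WRITE_FCS = {5, 6, 15, 16, 23}      # single/multiple coil and register writes
KNOWN_MASTERS = {"10.10.0.10"}      # assumed HMI address in the testbed

def analyse(records, sweep_units=20, burst_writes=50, window=1.0):
    """Return sorted, de-duplicated (alert_kind, src_ip) pairs; records in time order."""
    alerts, units_seen, write_times = set(), defaultdict(set), defaultdict(list)
    for t, src, dst, payload in records:
        if len(payload) < 8 or payload[2:4] != b"\x00\x00":
            continue                # protocol id != 0: not Modbus/TCP
        unit_id, fc = payload[6], payload[7] & 0x7F
        units_seen[src].add(unit_id)
        if len(units_seen[src]) >= sweep_units:     # one host probing many slaves
            alerts.add(("unit_id_sweep", src))
        if fc in WRITE_FCS:
            if src not in KNOWN_MASTERS:
                alerts.add(("write_from_unknown_master", src))
            times = write_times[src]
            times.append(t)
            while times[0] < t - window:            # sliding one-second window
                times.pop(0)
            if len(times) >= burst_writes:
                alerts.add(("write_burst", src))
    return sorted(alerts)

def frame(unit, fc, data, tid=0):
    """Modbus/TCP frame: MBAP (length = unit + FC + data) followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data

# Constructed traffic: the HMI polls unit 1 on the PLC; an attacker host then
# probes unit IDs 1..25 and floods Write Single Coil (FC 5) requests.
HMI, PLC, ATTACKER = "10.10.0.10", "10.10.0.20", "10.10.0.99"
RECORDS = [(i * 1.0, HMI, PLC, frame(1, 3, b"\x00\x81\x00\x10", i)) for i in range(10)]
RECORDS += [(10 + u * 0.1, ATTACKER, PLC, frame(u, 3, b"\x00\x00\x00\x01")) for u in range(1, 26)]
RECORDS += [(20 + i * 0.005, ATTACKER, PLC, frame(1, 5, b"\x00\x00\xff\x00")) for i in range(60)]

if __name__ == "__main__":
    for kind, src in analyse(RECORDS):
        print(f"{kind:26s} {src}")
```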
Next steps
Recommended reading

The Modbus protocol specification:
http://www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf

Attacking SCADA systems: A practical perspective
http://ieeexplore.ieee.org/document/7987369/

Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark
https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095

Also, if you want to play with Modbus:
https://github.com/whit-schonbein/modbussim (slave)
https://sourceforge.net/projects/qmodmaster (master)

If you feel such a need, review your basic knowledge about the TCP/IP stack and associated protocols.
Preparing our toolset
(after class)

Considering the time restrictions, your instructors already performed most of these steps for you, but anyway they are kept in the slides for informational purposes, so you can understand how the VMs were prepared.
Already done to save time
Our toolset
Kali Linux
§ A purpose-specific Linux distribution for pentesting and hacking
§ We are going to use it in our classes

Available at: https://www.kali.org

You can download ready-to-use VM appliance images from:
https://www.kali.org/get-kali/
(but we are going to install from a local ISO file)
Our hypervisors
§ We have one VMware ESXi 6.7 hypervisor server at your disposal, at address “10.254.0.243”
  • ESXi credentials for ALL GROUPS:
    • user: Student pass: Kaliucv%23
  • Then each group has its own VM.
  • The initial credentials for your VM are
    • user: kaliucv pass: Kaliucv%23
  • but each group should change its password, to prevent unauthorized access from other groups
§ 1st activate the remote access to the University of Coimbra VPN.
§ Then access the ESXi (10.254.0.243) via web browser.
Installation notes
(from local ISO)

Configure a VM (1 VM per group of 2 students) with the following requisites:

• OS: Other Linux (64-bit)
• 2 vCPUs
• 4GB RAM
• 30GB HDD (datastore: DS2)
• 3 Network Interfaces (e1000)
  • 1st on Port Group VM Network
  • 2nd on Port Group TestbedPG
  • 3rd on Port Group TestbedMirrorPG
• Configure virtual CD ROM to be associated with datastore file
  (.iso file located in LOCAL_DS\ISO\Kali-linux….)
The network connections of your VM
§ Your VM has three network interfaces:
  • Eth0: IP Network connected to the internet
  • Eth1: Scada Field Network
  • Eth2: Scada Field Network (mirror)
• Eth0 is your entry point in the VM, and is accessible whenever you use the Coimbra VPN (both via ESXi or directly by ssh). Its address should be 10.254.0.xx (use ifconfig to verify).
• Eth1 and Eth2 are connected to the SCADA field network. Initially they have no predefined IP, so you can stealthily scout the network.
For instance, for one of the VMs…

[Figure: network configuration of one of the VMs]
Installation notes

Sometimes, when configuring the network interfaces, the sequence that appears does not correspond to the assigned vNICs of the VM.

In some cases, the last NIC detected by Kali Linux was the first one of the VM (placed on the VM Network), and you should configure this one with DHCP.

When installing Kali you should start by trying with eth0 and then eth2.
Installation notes
(post-install)

First, check if the main network adapter has an IP (you can use the ifconfig or ip addr show command). If you don’t have an IP in the 10.254.0.x range, please configure the network adapter.

Associate the correct device (eth0) to the interface. If it doesn’t work use eth2.

Select “Automatic (DHCP) addresses only”
Installation notes
(Check if already done)

SSH is not bundled by default.

Open a terminal and install it:
sudo apt-get install libc6-dev
sudo apt-get update
sudo apt-get install ssh
sudo dpkg-reconfigure openssh-server
sudo systemctl enable ssh
sudo systemctl start ssh
